Imagine it’s 1995, and you’re about to put your company’s office on the Internet. Your security has been solid in the past—you’ve banned people from bringing floppies to work with games, you’ve installed virus scanners, and you run file server backups every night. So, you set up the Internet router and give everyone TCP/IP addresses. It’s not like you’re NASA or the Pentagon or something, so what could go wrong?

That, in essence, is the security posture of many modern automobiles—a network of sensors and controllers that have been tuned to perform flawlessly under normal use, with little more than a firewall (or in some cases, not even that) protecting it from attack once connected to the big, bad Internet world. This month at three separate security conferences, five sets of researchers presented proof-of-concept attacks on vehicles from multiple manufacturers plus an add-on device that spies on drivers for insurance companies, taking advantage of always-on cellular connectivity and other wireless vehicle communications to defeat security measures, gain access to vehicles, and—in three cases—gain access to the car’s internal network in a way that could take remote control of the vehicle in frightening ways.

While the automakers and telematics vendors with targeted products were largely receptive to this work—in most cases, they deployed fixes immediately that patched the attack paths found—not everything is happy in auto land. Not all of the vehicles that might be vulnerable (including vehicles equipped with the Mobile Devices telematics dongle) can be patched easily. Fiat Chrysler suffered a dramatic stock price drop when video of a Jeep Cherokee exploit (and information that the bug could affect more than a million vehicles) triggered a large-scale recall of Jeep and Dodge vehicles.

And all this has played out as the auto industry as a whole struggles to understand security researchers and their approach to disclosure—some automakers feel like they’re the victim of a hit-and-run. The industry's insular culture and traditional approach to safety have kept most from collaborating with outside researchers, and their default response to disclosures of security threats has been to make it harder for researchers to work with them. In some cases, car companies have even sued researchers to shut them up.

Sticker shock

By contrast, Tesla has embraced a coordinated disclosure policy. The company recently announced a vehicle security bug bounty program that offers $10,000 for reproducible security vulnerabilities. Tesla even participated in the presentation of vulnerabilities discovered by outside researchers in the Tesla S' systems at DEF CON. The company's chief technology officer, JB Straubel, appeared on stage with the researchers who performed the penetration test of the Tesla S—Marc Rogers of Cloudflare and Lookout Security CTO and co-founder Kevin Mahaffey—in order to present them with Tesla "challenge coins" for their work.

But no one from Fiat Chrysler was anywhere near the stage when Charlie Miller and Chris Valasek presented their findings on Uconnect. And it might be a while before any other carmaker makes a move to embrace the security community in the wake of the Chrysler recall.

It's not like Miller and Valasek caught Fiat Chrysler by surprise. Miller told Ars that he worked with Fiat-Chrysler throughout his many months of research, advising them of what he and Valasek found. The company had already issued a patch to fix the problems, but it was only a voluntary update to be performed using USB. Sprint moved to block remote access to the network connection on Chrysler vehicles that Miller and Valasek's attack exploited just before the pair revealed their research at Black Hat.

Charlie Miller (left) and Chris Valasek present the details of their hacks of the Fiat Chrysler Uconnect system at Black Hat in Las Vegas on August 5.

Sean Gallagher

An anonymized Jeep on display (and getting its dash dismantled) at the Car Hacker Village at DEF CON.

Sean Gallagher

Still, it wasn't until after Wired published video of reporter Andy Greenberg in the driver's seat on an interstate highway reacting to the vehicle's throttle being remotely taken over that Chrysler issued a recall on over a million affected vehicles. Miller said that the demonstration for Wired was completely safe. "It wasn't nearly as bad as the Wired video made it look," he said, explaining that what he and Valasek had done to Greenberg was the same as would happen to any driver during a typical breakdown. Greenberg still had control of the wheel and limited acceleration, according to Miller, and the reporter would have been able to maneuver to a shoulder. But even if things looked a tad over dramatic, Miller felt that the highway demonstration was needed to make the problem real to the American public and to Chrysler. After all, other researchers funded by DARPA—the same program that had funded previous research by Miller and Valasek— demonstrated the same sort of attack for 60 Minutes only a few months earlier with reporter Leslie Stahl driving on a closed course in a parking lot. That time, however, the brand of the car was concealed, and the test took place on a closed circuit. "People couldn't relate it to real life," Miller said.

Beyond awareness, the video of the researchers shouting "You're doomed!" to Greenberg as they took remote control may have other consequences. At least two automakers that planned to announce new initiatives to cooperate with security researchers during the DEF CON 23 pulled back in the wake of the Uconnect disclosure, according to Joshua Corman, one of the founders of I Am The Cavalry. This grassroots organization focuses on cybersecurity and public safety issues by lobbying automakers to adopt better software security practices. According to Corman, the news coverage triggered intervention by company attorneys who saw the Wired video as a "reckless stunt."

"Right now people are cheering [Miller and Valasek] as heroes," Corman told Ars. "But what they don't see are the hidden costs that have been paid. Right now it could just set us back for a little while, or it could set us back permanently."

No one at Ford, GM, and Chrysler would talk with Ars about their strategy for uncovering potential security issues in software that could be used for "cyber-physical" attacks—hacks that could have an impact in the physical world by interfering with the operation of cars. Ford would only provide the following statement:

Ford takes cyber security very seriously. We invest in security solutions that are built into the product from the outset. We are not aware of any instance in which a Ford vehicle was infiltrated or compromised in the field. Our cyber security team routinely monitors, investigates, resolves concerns, and works to mitigate threats. Our communications and entertainment systems feature a different architecture than what was hacked, but we are interested in learning more about the Chrysler Uconnect, GM Onstar, and Tesla issues and whether there are additional enhancements we can make in our vehicles. Our security team has developed hardware and software safeguards as well as specific processes to help mitigate remote access risks in all our vehicles, whether they feature embedded cellular connections or not.

For his part, Miller said he's done with car hacking for now. He achieved his goals, but there are plenty of other security researchers in line to try to help the industry. Corman believes automakers need to work with them because the number of potential security bugs is only going to grow as vehicles continue to add software-based functionality and connectivity to the Internet.